Package: openssh-server
Version: 1:9.9p2-1
Severity: important

Hi!
During the bookworm cycle security concerns were raised about users being able to write to other users' terminals by default. This resulted in CVE-2024-28085 against util-linux and util-linux improving the write and wall utilities. But ultimately util-linux can only catch the worst situations, and other programs with similar facilities exist. As a fuller fix, util-linux for trixie has removed write and I intended to turn off g+w by default in trixie. This is the equivalent of running "mesg n" by default for all users, which was already done by default for root in root's default bashrc.

This report comes quite late to you in the trixie cycle, as I *thought* a) programs honor TTYPERM in /etc/login.defs or b) at least use the default mode set on the /dev/pts mount point, and that systemd sets/corrects the mode on that. Turns out none of this is true.

I've now filed a bug against initramfs-tools to fix the default /dev/pts mode. But I've also figured out openssh has its own idea and sets 0620 on pseudo-terminals, if group "tty" exists. This does not seem to be configurable in any way.

Please find a trivial patch attached to always set 0600 instead. The patch should work as-is in debian/patches/; I've done a test build with it and confirmed it works for me. I guess the patch is not forwardable as is, but at least would get trixie into a secure-by-default state. Please apply it.

Again, sorry for being this late.

Thanks,
Chris
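An added check to go with the report (example code, not part of the bug report or of the openssh patch): after installing a patched sshd, an administrator will want to confirm that no pseudo-terminal still carries the group-write bit that sshpty.c sets (0620) and that "mesg n" clears. The function names `mode_is_group_writable` and `audit_ptys` are mine; the script assumes GNU coreutils `stat -c` and the Linux /dev/pts naming (0, 1, 2, ...).

```shell
#!/bin/sh
# Added example, not from the bug report or the openssh patch.
# Audits pseudo-terminals for the group-write bit (0620 as set by sshpty.c
# when a "tty" group exists; 0600 is what "mesg n" and the patch give).
# Assumes GNU coreutils `stat -c` and Linux /dev/pts naming.

# Return 0 when an octal mode string (as printed by `stat -c %a`, e.g. 620
# or 1777) has the group-write bit set, 1 otherwise. The group digit is the
# second from the right; digits 2, 3, 6 and 7 contain the write bit (2).
mode_is_group_writable() {
    case "$1" in
        *[2367]?) return 0 ;;
        *)        return 1 ;;
    esac
}

# Scan a pty directory (default /dev/pts) and report every terminal that is
# still group-writable, i.e. still accepts writes from other members of the
# tty group. Returns 0 when none are found, 1 otherwise. Any existing entry
# is checked (not only character devices) so the logic can be exercised on a
# constructed directory of plain files as well.
audit_ptys() {
    dir=${1:-/dev/pts}
    rc=0
    for tty in "$dir"/[0-9]*; do
        [ -e "$tty" ] || continue                 # glob matched nothing
        mode=$(stat -c '%a' "$tty") || continue
        if mode_is_group_writable "$mode"; then
            printf 'group-writable: %s mode %s owner %s\n' \
                "$tty" "$mode" "$(stat -c '%U:%G' "$tty")"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh pty-audit.sh --run [directory]
case "$1" in
    --run) audit_ptys "${2:-/dev/pts}" ;;
esac
```

On a host running the patched sshd, `audit_ptys` should print nothing and return 0 for every ssh login; any line it does print names a terminal that another tty-group process (such as an unpatched wall or write) could still write to.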
From: Chris Hofstaedtler <z...@debian.org> Date: Thu, 6 Mar 2025 22:48:44 +0100 Subject: Deny tty group based write access to users terminals Apply a fuller fix for CVE-2024-28085 by turning off group write access on users terminals by default. This is the equivalent of running "mesg n" for each user, as commonly done for root. Linux systems supposedly have this configurable in /etc/login.defs but it turns out all relevant programs just hardcode their own values. Signed-off-by: Chris Hofstaedtler <z...@debian.org> --- diff --git a/sshpty.c b/sshpty.c index 7870c6482..d62237206 100644 --- a/sshpty.c +++ b/sshpty.c @@ -175,7 +175,7 @@ pty_setowner(struct passwd *pw, const char *tty, const char *role) if (grp == NULL) debug("%s: no tty group", __func__); gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid; - mode = (grp != NULL) ? 0620 : 0600; + mode = 0600; /* * Change owner and mode of the tty as required.
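Review bot: with `mode = 0600;` fixed unconditionally, the tty-group handling that stays in pty_setowner() becomes vestigial for access purposes: `gid = (grp != NULL) ? grp->gr_gid : pw->pw_gid;` still assigns group ownership to the tty group and the `debug("%s: no tty group", __func__);` message still fires, but with group write withheld that ownership no longer grants anything, so the `/* Change owner and mode of the tty as required.` comment should state why the mode is now fixed, or the group lookup should be dropped alongside the mode. If a change acceptable upstream is wanted rather than a Debian-only patch, consider honouring TTYPERM from /etc/login.defs (which the commit message itself names as the documented knob) or adding an sshd_config option, with 0600 as the default when unset.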